
Lesson 6 Intrusion Detection Systems




  1. Lesson 6Intrusion Detection Systems

  2. Overview • History • Definitions • Common Commercial IDS • Specialized IDS

  3. Why Even Bother? • “One of the problems with anomaly detection is that even the current best research systems have something like a 75% success rate.” Marcus Ranum Network Flight Recorder

  4. Intrusion Detection Defined • The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity, or availability of a computer or network, or to bypass its security mechanisms.

  5. General Thoughts about ID • No defense is impenetrable • Vulnerabilities exist that bypass system security precautions • Automated tools exist to find and exploit vulnerabilities • A methodology to detect and report suspicious host and network activity must be implemented • IDS goal: characterize attack manifestations so as to positively identify all true attacks without falsely identifying non-attacks • ID is an instance of the general signal detection problem

  6. Why use ID? • Increase the perceived risk of discovery and punishment • Detect attacks not prevented by other means • Detect and deal with probing • Document existing threats • Quality control for security design and administration • Forensics for improved security or prosecution

  7. Goals of IDS • Accountability - “I can deal with security attacks that occur on my systems as long as I know who did it (and where to find them.)” • Response - “I don’t care who attacks my system as long as I can recognize that the attack is taking place and block it.”

  8. History of ID • 1980 - James P. Anderson: Computer Security Threat Monitoring and Surveillance • 1987 - Dorothy Denning: An Intrusion Detection Model • Laid the groundwork for commercial products • Early operational IDS, circa 1993: USAF ASIM

  9. Generic Intrusion Detection Model (diagram) • Event Generator: feeds audit trails, network packets and application logs into the model • Activity Profile: maintains the state of the monitored system; updated from events (update profile state), with new profiles designed as needed • Rule Set / Detection Engine: examines events against the profile, creates anomaly records, and defines new and modifies existing rules • Clock

  10. Model Components • Rule Set - inference engine that decides whether an intrusion has occurred; a generic detector examining events and state data using models, rules, patterns and statistics to flag intrusive behavior • Activity Profile - maintains the state of the system or network being monitored • Feedback is critical • No architectural limitations • Rule base can learn if programmed to

  11. Current IDS Trends • Immature • Manpower intensive • High false alarm rates • Dynamic to the point of instability • Quietly Evolving

  12. Types of IDS • Signature-based systems • Attack descriptions that can be matched against sensed attack manifestations • Anomaly-based detectors • Treat "unusual" or "abnormal" behavior as intrusion
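The two detector types side by side, as an added illustration that is not code from the lecture: a signature detector matches attack descriptions against request paths, while an anomaly detector first builds an activity profile (per-source request rate) from a training window and then flags sources that fall outside it. The events, the two regex signatures and the k=3 threshold are all constructed assumptions; the point is that each detector misses what the other sees.

```python
"""Signature-based and anomaly-based detection side by side.

Added illustration for the lecture's two IDS types; not code from the slides.
All events, signatures and thresholds are constructed assumptions.
"""
import re
import statistics
from collections import Counter

# Constructed "training window" of normal traffic: (source_ip, request_path).
TRAINING = (
    [("10.0.0.5", "/index.html")] * 4
    + [("10.0.0.7", "/about.html")] * 3
    + [("10.0.0.9", "/index.html")] * 5
    + [("10.0.0.12", "/news.html")] * 2
    + [("10.0.0.13", "/index.html")] * 6
)

# Constructed "detection window": two one-shot attacks and one noisy scanner.
EVENTS = [
    ("10.0.0.5", "/index.html"),
    ("10.0.0.5", "/about.html"),
    ("10.0.0.7", "/login?user=admin' OR '1'='1"),   # SQL-injection-shaped request
    ("10.0.0.9", "/cgi-bin/../../etc/passwd"),       # path traversal attempt
    ("10.0.0.12", "/index.html"),
] + [("10.0.0.42", f"/page{i}") for i in range(200)]  # one host hammering the server

# Signature rules: deliberately crude regexes over the request path (illustrative only).
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*(or|and)\b", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_detect(events):
    """Return (ip, path, rule) for every event that matches a known-attack description."""
    hits = []
    for ip, path in events:
        for rule, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, path, rule))
    return hits


def build_profile(training_events):
    """Activity profile: mean and spread of per-source request counts in the training window."""
    counts = Counter(ip for ip, _ in training_events)
    values = list(counts.values())
    return {"mean": statistics.fmean(values), "sd": statistics.pstdev(values)}


def anomaly_detect(events, profile, k=3.0):
    """Flag sources whose request count exceeds mean + k standard deviations of the profile."""
    threshold = profile["mean"] + k * profile["sd"]
    counts = Counter(ip for ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("signature hits:", signature_detect(EVENTS))
    print("anomalous sources:", anomaly_detect(EVENTS, build_profile(TRAINING)))
```

Run it and the signature detector reports the two single-request attacks but nothing about the scanner, whose 200 requests contain no known pattern; the anomaly detector reports only the scanner. Note that the profile is learned from a separate training window: training on the same window you evaluate lets a noisy source inflate the mean and standard deviation until it hides itself.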

  13. IDS Classification • Can be classified by what they sense • Network-based systems (NIDS) • Sense packets on a network segment • Easy to deploy, but they suffer throughput problems • Host-based systems (HIDS) • Inspect audit or log data • Can affect performance on the host • Hybrids • Combine the best of both

  14. Intrusion Detection System -- Network Based: "A Layer in the Defense" (diagram: Adversary -> INTERNET -> External ROUTER -> FIREWALL -> DMZ Server(s) -> INTERNAL NETWORK, with the Intrusion Detection System placed alongside the other network defense tools)

  15. NIDS • Some detect intrusions after the bad guy is inside... but at least you know • Others detect attacks (attack detection systems) • Location in the architecture determines which one you have • The number of IDSes in the architecture can add protection • The balance is between being inundated with false alarms and alert conditions that require action • Ideal NIDS installation: start by adding as few sensors as possible

  16. HIDS • Set up a HIDS like a selective burglar alarm • Deploy HIDS on critical servers devoid of interactive users • Configuration options • Critical file modification • Log files getting smaller • Process table growing larger than normal or too fast

  17. Five Functional Areas of HIDS • Log/event monitoring • File integrity checking • Policy compliance • Network traffic monitoring • System monitoring • Ref: Rasmussen, ISSA, Mar 02
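The three HIDS configuration options on slide 16 (critical file modification, log files getting smaller, process table growing too fast) and the file integrity checking area of slide 17, as an added example that is not from the lecture. It builds a baseline of SHA-256 hashes for critical files and sizes for log files, then reports files that were modified, removed, or truncated; a second function applies the process-table rule. The file names, the temporary directory and the thresholds are constructed assumptions.

```python
"""HIDS-style checks: file integrity baseline, shrinking logs, process-table growth.

Added example, not from the lecture. It runs against a temporary directory it
creates itself; the paths and thresholds are illustrative assumptions.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(critical_files, log_files):
    """Critical files are pinned by hash (any change is an alert); logs only by size
    (they are expected to grow, so only shrinking is suspicious).
    Store the baseline off-host: a baseline the attacker can rewrite is worthless."""
    baseline = {}
    for path in critical_files:
        baseline[path] = {"kind": "critical", "sha256": hash_file(path)}
    for path in log_files:
        baseline[path] = {"kind": "log", "size": os.path.getsize(path)}
    return baseline


def check_files(baseline):
    """Return (path, reason) for every watched file that is missing, modified or shrank."""
    alerts = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
        elif rec["kind"] == "critical" and hash_file(path) != rec["sha256"]:
            alerts.append((path, "modified"))
        elif rec["kind"] == "log" and os.path.getsize(path) < rec["size"]:
            alerts.append((path, "shrank"))
    return alerts


def check_process_table(prev_count, cur_count, max_abs=500, max_growth=0.5):
    """Alert when the process table passes an absolute cap or grows by more than
    max_growth (fraction) between two samples. Thresholds are assumed values."""
    if cur_count > max_abs:
        return "process table above cap"
    if prev_count and (cur_count - prev_count) / prev_count > max_growth:
        return "process table growing too fast"
    return None


def demo():
    """Constructed scenario: a config file is edited, a pinned copy of a sensitive
    file is deleted, and a log is truncated after the baseline was taken."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")
        pinned = os.path.join(d, "shadow.copy")
        log = os.path.join(d, "auth.log")
        with open(cfg, "w") as f:
            f.write("PermitRootLogin no\n")
        with open(pinned, "w") as f:
            f.write("root:*:0:0:::\n")
        with open(log, "w") as f:
            f.write("line1\nline2\nline3\n")
        baseline = build_baseline([cfg, pinned], [log])
        with open(cfg, "w") as f:
            f.write("PermitRootLogin yes\n")   # critical file changed
        os.remove(pinned)                       # critical file gone
        with open(log, "w") as f:
            f.write("")                         # log truncated
        return check_files(baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"ALERT {reason}: {path}")
    print(check_process_table(200, 350))
```

The split between hash-pinned and size-watched files is what keeps this "selective": hashing a busy log would alert on every normal write, while size-watching a config file would miss an in-place edit of the same length.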

  18. Honey Pot • New player, not quite an IDS, but the result is the same • Decoy system • Misleads hackers • Begins incident response (early!)

  19. Centralized IDS Hierarchy (diagram): a single Corporate Central Director receives sensor data directly from all Business Offices

  20. Partially Distributed IDS Hierarchy (diagram): Upper Domain - Corporate Central Director; Intermediate Domain - Regional Offices, each with an Intermediate Director; Lower Domain - Business Offices reporting to their Intermediate Director

  21. Fully Distributed IDS Hierarchy (diagram): Upper Domain - Corporate Central Director; Intermediate Domain - Regional Offices, each with an Intermediate Director; Lower Domain - Business Offices

  22. Strengths of IDSes • Monitoring and analysis of system events and user behavior • Testing the security state of system configurations • Recognizing known attack patterns • Recognizing anomalies • Measuring security policy enforcement • Managing data flow

  23. Weaknesses of IDSes (what they cannot do) • Compensate for weak or missing security mechanisms • Provide instantaneous detection, reporting, and attack response • Detect newly published attacks • Compensate for poor fidelity of their information sources • Reduce manpower needs

  24. IDS Adjusted Expectations • Consider a building with motion detectors • Works great when the building is empty • But if activated during the day, many false positives • Building managers don't expect them to work during the day • It's possible to set up a network-based IDS (NIDS) and a host-based IDS (HIDS) so as to limit false positives

  25. IDS Fad • “ People buy the hottest IDS tool that will be very good about telling them about DOS in the network, but is useless detecting problems inside the host.” • Matt Bishop, UC Davis

  26. Defense-in-Depth • Key security concept • Usually considered in shallow ways • We don't do a good job of implementing it organization-wide • Very seldom do we simultaneously simplify and improve security

  27. 5 Different Control Types • Protect - firewalls/router ACLs • Detect - IDSes • Recover - Incident Response/Recovery Plans • Deter - Laws and marketing • Transfer - Insurance

  28. Problem with Approaches • Each control is treated as having binary effectiveness • No security is perfect • A better approach is "synergistic security" • Success hinges on redundancy of security controls

  29. Security Synergy • Assuming the controls fail independently (the slide labels this "Bayes' Theorem", but it is the complement rule for independent events): Effectiveness(TOTAL) = 1 - ((1-E1)*(1-E2)*(1-E3)...) • Combined effectiveness (percent) by number of synergistic controls and efficiency of each control:
  # Controls |  60%   70%   80%   90%
      1      |  60    70    80    90
      2      |  84    91    96    99
      3      |  93.6  97.3  99.2  99.9
      4      |  97.4  99.2  99.8  100
      5      |  99.0  99.8  100   100
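The formula carried through in code, as an added example rather than anything from the slides: `combined_effectiveness` computes 1 - prod(1 - E_i) and `effectiveness_table` regenerates the slide's table from it (the four-controls, 60%-efficiency cell works out to 97.4, not the 94.7 printed on the original slide). The third function is an added caveat the slide does not make: the product rule assumes independent failures, and a shared blind spot (say, encrypted traffic no sensor inspects) puts a hard ceiling on the total no matter how many controls are stacked. The 20% common-bypass figure is an assumed value.

```python
"""Combined effectiveness of layered, independent controls.

Added example, not from the lecture. Reproduces the slide's formula and table
and adds a correlated-failure variant as a caveat; the 20% shared blind spot
used in the demo is an assumed value.
"""


def combined_effectiveness(efficiencies):
    """1 - prod(1 - e_i): the chance at least one of n independent controls
    catches an attack, given each control alone catches a fraction e_i."""
    miss = 1.0
    for e in efficiencies:
        miss *= (1.0 - e)
    return 1.0 - miss


def effectiveness_table(levels=(0.6, 0.7, 0.8, 0.9), max_controls=5):
    """Rows: number of identical controls; columns: per-control efficiency;
    cells: combined effectiveness in percent, rounded to one decimal."""
    return {
        n: {e: round(100 * combined_effectiveness([e] * n), 1) for e in levels}
        for n in range(1, max_controls + 1)
    }


def combined_with_common_failure(efficiencies, common_bypass):
    """Simplified mixture model (an assumption, not the slide's formula): a
    fraction common_bypass of attacks slips past every control at once; the
    rest are subject to the independent controls. The total can never exceed
    1 - common_bypass, however many controls are added."""
    return (1.0 - common_bypass) * combined_effectiveness(efficiencies)


if __name__ == "__main__":
    table = effectiveness_table()
    print("controls " + " ".join(f"{int(e * 100):>6}%" for e in table[1]))
    for n, row in table.items():
        print(f"{n:>8} " + " ".join(f"{v:>7}" for v in row.values()))
    # Five 90% controls with a 20% shared blind spot: stuck at ~80%, not 99.999%.
    print(round(combined_with_common_failure([0.9] * 5, 0.2), 4))
```

The table reproduces the slide's numbers; the last line is the practitioner's check on it. Redundant controls only compound when they fail for different reasons, which is why pairing a NIDS with a HIDS (different vantage points) buys more than two NIDS sensors on the same segment.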

  30. Commercial Systems • Internet Security Systems: Real Secure • Cisco: Cisco Secure Intrusion Detection System • NFR Security: Network Flight Recorder • Niksun: NetDetector • Sandstorm: NetIntercept • Pentasafe: Vigilent Security Manager • SourceFire: Open Snort Sensor • Symantec: Intruder Alert&Enterprise Security Manager

  31. Government Systems • Air Force: Automated Security Incident Measurement Sensor (ASIMs) • DISA: Joint Intrusion Detection Sensor (JIDS)

  32. The Challenge • "The real challenge is for people who can write good models for the data that comes out. The problem we have is that different enterprise networks create quite different traffic. Trying to model it and pull out interesting patterns with it while minimizing false positives and things like that is very difficult." • Bob Gleichauf • Cisco Systems

  33. Summary • IDSes are still maturing • IDSes, even when used well, are manpower intensive • IDSes are not silver bullets... they cannot overcome inherent security weaknesses • But IDSes are usually the primary "detectors" that start the incident response process • Synergistic security (defense-in-depth) is the key
